Cyber security breaches a growing issue in the hotel industry

Sarah Brodsky

Mar 1, 2017

Hackers are targeting hotels in search of money and sensitive data. On February 3, IHG announced that it had discovered malware on computer servers used for restaurants and bars at 12 of its company-managed properties and that some guests’ credit card information had been stolen. And the New York Times reported that in January, hackers breached the electronic key system at an Austrian hotel, the Romantik Seehotel Jaegerwirt, and locked guests out of their rooms. The hackers demanded a payment of around $1,800, which the hotel’s managing director handed over.

Sapna Mangal, an associate professor in the School of Hospitality Management at Kendall College, says that cyber security breaches are a serious problem for hotels. “We, in the industry, have had a situation of heightened data breach in the last two years, and it was actually major hotel brands where data had been compromised,” she says.

Mangal says that all hotel employees need to be aware of cyber security threats. “It's in the interest of every employee to look out for their guests’ well-being,” she says. “As much as [guests] expect a physical building to be secure, they also expect that their data would be kept secure.” While protecting guests is paramount, an additional reason for hotel professionals to care about cyber security is that breaches hurt a hotel’s brand. “If you compromise your data, you're also, to an extent, tarnishing your brand name. It's everybody's job in the hotel environment to be a hotel brand ambassador.”

Hotels collect many different kinds of data, making them more attractive to data thieves than retail businesses, according to Mangal. “Retail is, you come in, you basically are just furnishing your credit card details, or things that are tied to the credit card like your name, and maybe your social security [number].” In contrast, there are “plenty of weak spots in the hospitality networks. We're not just looking at credit card data. Hotels also have contact details, travel plans, air miles, birthdays, personal preferences.” She adds, “And all this information could be used by criminals in a variety of different ways, ranging from fraud to extortion.”

Mangal encourages hotel operators to be careful when they store data and to make sure their information storage systems are up to the task. She says that in many cases, hotels’ systems are no longer adequate. Hotel operators are often reluctant to overhaul their systems because of the cost.

“We've come to a point where retail and banking have overhauled their older systems, and their legacy systems,” Mangal says. “And apparently our industry is still lagging in that area, so we're still contending with older systems and we're not moving up with the times.”

Mangal also recommends that hotels conduct security audits and look at all aspects of their systems to identify vulnerabilities. In particular, hotels should upgrade to chip-enabled credit card processing. “It's not a foolproof system, but it definitely does make it safer,” she says. She adds that hotels should foster of a culture of data security and establish policies and procedures to protect data. Training employees to follow best practices is also important.

In the future, Mangal says that hotel operators may want to invest in biometric technology and to use fingerprints or facial scans to restrict access to data. “A lot of companies now are looking at offering this as an option,” she says.

Mangal says that hotels are unlikely to hire more IT professionals directly but that they will continue to contract with firms that specialize in cyber security. “Indirectly, there is a growing need for specialists and IT or tech professionals” to upgrade hotels’ data security and to train employees, she says.

Mangal urges hotel operators to be proactive and anticipate cyber threats before hackers strike. Hackers don’t give any warning before they attack, so hotel operators have to be vigilant to protect their guests. She says, “We need to try to be two steps ahead.”